ConfigsJul 7, 2026·3 min read

bcrypt.js — Industry-Standard Password Hashing for Node.js

A native C++ bcrypt implementation for Node.js providing secure password hashing and verification.

Agent ready

Ready-to-run agent install

This asset can be installed after the agent chooses its runtime, checks the plan, and runs the matching command.

Native · 98/100Policy: allow
Agent surface
Any MCP/CLI agent
Kind
Skill
Install
Single
Trust
Trust: Established
Entrypoint
bcrypt.js Overview
Direct install command
npx -y tokrepo@latest install 6738c344-799e-11f1-9bc6-00163e2b0d79 --target codex

Run after dry-run confirms the install plan.

Introduction

bcrypt for Node.js is a native addon that implements the bcrypt password hashing algorithm. bcrypt is deliberately slow and computationally expensive, making brute-force attacks impractical. This library is the standard choice for hashing and verifying user passwords in Node.js applications and has been battle-tested across thousands of production systems.

What bcrypt Does

  • Hashes passwords using the bcrypt algorithm with configurable cost factor
  • Verifies plaintext passwords against stored bcrypt hashes
  • Generates cryptographically secure random salts automatically
  • Provides both async (Promise-based) and sync APIs
  • Uses a native C++ binding for optimal performance

Architecture Overview

The library wraps the OpenBSD bcrypt reference implementation in a C++ Node.js native addon via node-addon-api. When hashing, it generates a random 16-byte salt, applies the Blowfish-based key derivation function for 2^cost rounds, and produces a 60-character hash string encoding the algorithm version, cost factor, salt, and hash. The async API offloads the CPU-intensive hashing to a worker thread pool so the Node.js event loop is not blocked.

Self-Hosting & Configuration

  • Install via npm: npm install bcrypt (requires a C++ compiler for native build)
  • Set the cost factor (salt rounds) based on your security needs: 10 is a common default
  • Use the async API in web servers to avoid blocking: await bcrypt.hash(password, 10)
  • For environments without native compilation, use the pure JS fallback: npm install bcryptjs
  • The output hash string is self-describing, so no separate salt storage is needed

Key Features

  • Adaptive cost factor: increase rounds as hardware gets faster
  • Automatic salt generation eliminates manual salt management
  • Async API prevents event loop blocking during hashing
  • Self-contained hash strings include algorithm version, cost, and salt
  • Native C++ implementation for maximum throughput

Comparison with Similar Tools

  • bcryptjs — pure JavaScript implementation; slower but requires no native compilation
  • argon2 — newer algorithm (PHC winner); stronger but less universally supported
  • scrypt (crypto.scrypt) — built into Node.js crypto; bcrypt has wider ecosystem adoption
  • PBKDF2 — available in Node.js crypto; bcrypt is more resistant to GPU-based attacks

FAQ

Q: What salt rounds value should I use? A: Start with 10. Each increment doubles the computation time. Benchmark on your hardware and aim for 250ms or more per hash.

Q: Do I need to store the salt separately? A: No. The bcrypt hash string embeds the salt, algorithm version, and cost factor. Store only the hash.

Q: Why does installation fail on some systems? A: bcrypt requires a C++ compiler and Python for node-gyp. If native builds are not possible, use the pure JavaScript bcryptjs package instead.

Q: Is bcrypt still secure in 2025? A: Yes. With an appropriate cost factor (12+), bcrypt remains resistant to brute-force attacks. Argon2 is the newer standard but bcrypt is still widely trusted.

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets